Critical BIND 9 Flaw Exposes DNS Servers to Remote Crash Attacks

Key Takeaways

  • A critical vulnerability, tracked as CVE-2025-13878, has been discovered in BIND 9, a widely used DNS server.
  • The vulnerability allows remote attackers to crash DNS servers by sending malformed records, creating a denial-of-service condition.
  • The flaw affects multiple versions of BIND 9, including stable and preview editions, and can be exploited without authentication or special privileges.
  • Organizations running affected versions should treat this as an immediate patching priority and upgrade to the corresponding patched version.
  • No workarounds exist, and the simplicity of exploitation combined with BIND’s widespread deployment makes this a critical patching priority.

Introduction to the Vulnerability
The Internet Systems Consortium (ISC) has disclosed a critical vulnerability in BIND 9, a widely used DNS server. The flaw, tracked as CVE-2025-13878, enables remote attackers to crash DNS servers by sending malformed records. It affects multiple versions of BIND 9, including stable and preview editions, and can be exploited without authentication or special privileges. The vulnerability lies in BIND’s handling of malformed BRID (Boundary Router Identifier) and HHIT (Host Identity Tag) records, which can cause the named daemon to terminate unexpectedly rather than handle the error gracefully.

Attack Vector and Impact
The attack vector for this vulnerability is remote: attackers can exploit it without physical access to the affected system. Sending malformed BRID or HHIT records to a vulnerable DNS server can cause the server to crash. This creates a reliable denial-of-service condition, making it difficult for legitimate users to access the affected system. Both authoritative DNS servers and recursive resolvers are affected, which significantly expands the potential attack surface. The flaw impacts multiple BIND 9 release branches across both stable and preview editions, including BIND 9.18, BIND 9.20, and BIND 9.21.

Affected Versions and Patching Priority
The vulnerability affects multiple versions of BIND 9, including stable and preview editions. The affected versions include BIND 9.18.4 through 9.18.4, BIND 9.20.1 through 9.20.1, and BIND 9.21.1 through 9.21.1. Organizations running any of these versions should treat this as an immediate patching priority and upgrade to the corresponding patched version. The patched versions include BIND 9.18.44, BIND 9.20.18, and BIND 9.21.17. Preview Edition users should apply the corresponding S1 patched releases. It is essential to note that no workarounds exist, and the simplicity of exploitation combined with BIND’s widespread deployment makes this a critical patching priority.
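
To act on the patched versions listed above, the following added example (not ISC's or the article's code) triages a server inventory against those releases. The host names and version strings are constructed, and the assumption that Preview Edition targets use the same numbers with an "-S1" suffix is the example's own.

```python
import re

# Patched releases named in the article, keyed by (major, minor) branch.
PATCHED = {(9, 18): 44, (9, 20): 18, (9, 21): 17}
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(-S\d+)?")


def triage(version_text):
    """Return (status, target_release) for a line such as `named -V` prints."""
    m = VERSION_RE.search(version_text)
    if m is None:
        return ("unparsed", None)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    fixed = PATCHED.get((major, minor))
    if fixed is None:
        # Branch not covered by the article's list: needs a manual look.
        return ("branch-not-listed", None)
    # Assumption: Preview Edition targets carry the same numbers plus "-S1".
    suffix = "-S1" if m.group(4) else ""
    target = f"{major}.{minor}.{fixed}{suffix}"
    # Only the upper bound is checked; releases older than the affected
    # range are flagged too and should be confirmed against the advisory.
    return ("patched" if patch >= fixed else "upgrade", target)


def hosts_to_upgrade(inventory):
    """Map host -> target release for every host below its branch's fix."""
    out = {}
    for host, text in inventory.items():
        status, target = triage(text)
        if status == "upgrade":
            out[host] = target
    return out


# Constructed inventory (hypothetical hosts and version strings).
SAMPLE = {
    "ns1.example.net": "BIND 9.18.41 (Extended Support Version)",
    "ns2.example.net": "BIND 9.20.18 (Stable Release)",
    "res1.example.net": "BIND 9.20.15-S1 (Stable Release)",
    "lab.example.net": "BIND 9.21.14 (Development Release)",
    "old.example.net": "BIND 9.16.50 (Extended Support Version)",
}

if __name__ == "__main__":
    for host, target in sorted(hosts_to_upgrade(SAMPLE).items()):
        print(f"{host}: upgrade to {target}")
```

Distribution packages often backport fixes without changing the upstream version number, so an "upgrade" result on a packaged build is a prompt to check the vendor's own advisory.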

Severity and CVSS Score
The ISC has assigned this vulnerability a CVSS v3.1 score of 7.5 (High severity). The complete vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, which indicates network-accessible exploitation with low complexity, no privileges required, and high impact on availability. No confidentiality or integrity impacts are present. The high severity of this vulnerability is due to the ease of exploitation and the potential impact on the availability of the affected system.

Discovery and Disclosure
The vulnerability was discovered by Vlatko Kosturjak from Marlink Cyber and disclosed responsibly to ISC. While no active exploits have been detected in the wild, the simplicity of exploitation combined with BIND’s widespread deployment makes this a critical patching priority. Organizations should treat this as an emergency update for all affected DNS infrastructure. It is essential to stay informed about the latest security updates and patches to ensure the security and integrity of critical infrastructure.

Conclusion and Recommendations
In conclusion, the critical vulnerability in BIND 9 is a significant threat to the security and integrity of DNS infrastructure. The vulnerability can be exploited remotely, and the simplicity of exploitation combined with BIND’s widespread deployment makes this a critical patching priority. Organizations should treat this as an immediate patching priority and upgrade to the corresponding patched version. It is essential to stay informed about the latest security updates and patches to ensure the security and integrity of critical infrastructure. By taking prompt action, organizations can minimize the risk of exploitation and ensure the continued availability and security of their DNS infrastructure.
